// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";

// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch
// responses more than necessary.

var gFetchCount = 0;
var gGoodOCSPResponse = null;
var gResponsePattern = [];
var gMessage = "";

function respondWithGoodOCSP(request, response) {
  do_print("returning 200 OK");
  response.setStatusLine(request.httpVersion, 200, "OK");
  response.setHeader("Content-Type", "application/ocsp-response");
  response.write(gGoodOCSPResponse);
}

function respondWithSHA1OCSP(request, response) {
  do_print("returning 200 OK with sha-1 delegated response");
  response.setStatusLine(request.httpVersion, 200, "OK");
  response.setHeader("Content-Type", "application/ocsp-response");

  let args = [ ["good-delegated", "default-ee", "delegatedSHA1Signer" ] ];
  let responses = generateOCSPResponses(args, "ocsp_certs");
  response.write(responses[0]);
}

function respondWithError(request, response) {
  do_print("returning 500 Internal Server Error");
  response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
  let body = "Refusing to return a response";
  response.bodyOutputStream.write(body, body.length);
}

function generateGoodOCSPResponse() {
  let args = [ ["good", "default-ee", "unused" ] ];
  let responses = generateOCSPResponses(args, "ocsp_certs");
  return responses[0];
}

function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage,
                       aOriginAttributes) {
  add_connection_test(aHost, aExpectedResult,
      function() {
        clearSessionCache();
        gFetchCount = 0;
        gResponsePattern = aResponses;
        gMessage = aMessage;
      },
      function() {
        // check the number of requests matches the size of aResponses
        equal(gFetchCount, aResponses.length,
              "should have made " + aResponses.length +
              " OCSP request" + (aResponses.length == 1 ? "" : "s"));
      }, null, aOriginAttributes);
}

function run_test() {
  do_get_profile();
  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
  Services.prefs.setIntPref("security.OCSP.enabled", 1);
  Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");

  let ocspResponder = new HttpServer();
  ocspResponder.registerPrefixHandler("/", function(request, response) {

    do_print("gFetchCount: " + gFetchCount);
    let responseFunction = gResponsePattern[gFetchCount];
    Assert.notEqual(undefined, responseFunction);

    ++gFetchCount;
    responseFunction(request, response);
  });
  ocspResponder.start(8888);

  add_tests();

  add_test(function() { ocspResponder.stop(run_next_test); });
  run_next_test();
}

function add_tests() {
  // Test that verifying a certificate with a "short lifetime" doesn't result
  // in OCSP fetching. Due to longevity requirements in our testing
  // infrastructure, the certificate we encounter is valid for a very long
  // time, so we have to define a "short lifetime" as something very long.
  add_test(function() {
    Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days",
                              12000);
    run_next_test();
  });

  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
                "expected zero OCSP requests for a short-lived certificate");

  add_test(function() {
    Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100);
    run_next_test();
  });

  // If a "short lifetime" is something more reasonable, ensure that we do OCSP
  // fetching for this long-lived certificate.

  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithError],
                "expected one OCSP request for a long-lived certificate");
  add_test(function() {
    Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days");
    run_next_test();
  });
  //---------------------------------------------------------------------------

  // Reset state
  add_test(function() { clearOCSPCache(); run_next_test(); });

  // This test assumes that OCSPStaplingServer uses the same cert for
  // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.

  // Get an Unknown response for the *.example.com cert and put it in the
  // OCSP cache.
  add_ocsp_test("ocsp-stapling-unknown.example.com",
                SEC_ERROR_OCSP_UNKNOWN_CERT, [],
                "Stapled Unknown response -> a fetch should not have been" +
                " attempted");

  // A failure to retrieve an OCSP response must result in the cached Unknown
  // response being recognized and honored.
  add_ocsp_test("ocsp-stapling-none.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT,
                [
                  respondWithError,
                  respondWithError,
                  respondWithError,
                  respondWithError,
                  respondWithError,
                  respondWithError,
                ],
                "No stapled response -> a fetch should have been attempted");

  // A valid Good response from the OCSP responder must override the cached
  // Unknown response.
  //
  // Note that We need to make sure that the Unknown response and the Good
  // response have different thisUpdate timestamps; otherwise, the Good
  // response will be seen as "not newer" and it won't replace the existing
  // entry.
  add_test(function() {
    let duration = 1200;
    do_print("Sleeping for " + duration + "ms");
    let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
    timer.initWithCallback(run_next_test, duration, Ci.nsITimer.TYPE_ONE_SHOT);
  });
  add_test(function() {
    gGoodOCSPResponse = generateGoodOCSPResponse();
    run_next_test();
  });
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithGoodOCSP],
                "Cached Unknown response, no stapled response -> a fetch" +
                " should have been attempted");

  // The Good response retrieved from the previous fetch must have replaced
  // the Unknown response in the cache, resulting in the catched Good response
  // being returned and no fetch.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [],
                "Cached Good response -> a fetch should not have been" +
                " attempted");


  //---------------------------------------------------------------------------

  // Reset state
  add_test(function() { clearOCSPCache(); run_next_test(); });

  // A failure to retrieve an OCSP response will result in an error entry being
  // added to the cache.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithError],
                "No stapled response -> a fetch should have been attempted");

  // The error entry will prevent a fetch from happening for a while.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
                "Noted OCSP server failure -> a fetch should not have been" +
                " attempted");

  // The error entry must not prevent a stapled OCSP response from being
  // honored.
  add_ocsp_test("ocsp-stapling-revoked.example.com",
                SEC_ERROR_REVOKED_CERTIFICATE, [],
                "Stapled Revoked response -> a fetch should not have been" +
                " attempted");

  //---------------------------------------------------------------------------

  // Ensure OCSP responses from signers with SHA1 certificates are OK. This
  // is included in the OCSP caching tests since there were OCSP cache-related
  // regressions when sha-1 telemetry probes were added.
  add_test(function() {
    clearOCSPCache();
    // set security.OCSP.require so that checking the OCSP signature fails
    Services.prefs.setBoolPref("security.OCSP.require", true);
    run_next_test();
  });

  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithSHA1OCSP],
                "signing cert is good (though sha1) - should succeed");

  add_test(function() {
    Services.prefs.setBoolPref("security.OCSP.require", false);
    run_next_test();
  });

  //---------------------------------------------------------------------------

  // Reset state
  add_test(function() { clearOCSPCache(); run_next_test(); });

  // This test makes sure that OCSP cache are isolated by firstPartyDomain.

  let gObservedCnt = 0;
  let protocolProxyService = Cc["@mozilla.org/network/protocol-proxy-service;1"]
                               .getService(Ci.nsIProtocolProxyService);

  // Observe all channels and make sure the firstPartyDomain in their loadInfo's
  // origin attributes are aFirstPartyDomain.
  function startObservingChannels(aFirstPartyDomain) {
    // We use a dummy proxy filter to catch all channels, even those that do not
    // generate an "http-on-modify-request" notification.
    let proxyFilter = {
      applyFilter: function (aProxyService, aChannel, aProxy) {
        // We have the channel; provide it to the callback.
        if (aChannel.originalURI.spec == "http://localhost:8888/") {
          gObservedCnt++;
          equal(aChannel.loadInfo.originAttributes.firstPartyDomain,
                aFirstPartyDomain, "firstPartyDomain should match");
        }
        // Pass on aProxy unmodified.
        return aProxy;
      }
    };
    protocolProxyService.registerChannelFilter(proxyFilter, 0);
    // Return the stop() function:
    return () => protocolProxyService.unregisterChannelFilter(proxyFilter);
  }

  let stopObservingChannels;
  add_test(function() {
    stopObservingChannels = startObservingChannels("foo.com");
    run_next_test();
  });

  // A good OCSP response will be cached.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithGoodOCSP],
                "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
                "should have been attempted", { firstPartyDomain: "foo.com" });

  // The cache will prevent a fetch from happening.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
                "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
                "fetch should not have been attempted",
                { firstPartyDomain: "foo.com" });

  add_test(function() {
    stopObservingChannels();
    equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
    gObservedCnt = 0;
    run_next_test();
  });

  add_test(function() {
    stopObservingChannels = startObservingChannels("bar.com");
    run_next_test();
  });

  // But using a different firstPartyDomain should result in a fetch.
  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
                [respondWithGoodOCSP],
                "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
                "should have been attempted", { firstPartyDomain: "bar.com" });

  add_test(function() {
    stopObservingChannels();
    equal(gObservedCnt, 1, "should have observed only 1 OCSP requests");
    gObservedCnt = 0;
    run_next_test();
  });

  //---------------------------------------------------------------------------

  // Reset state
  add_test(function() { clearOCSPCache(); run_next_test(); });
}
